Award-winning news, views, and insight from the ESET security community

Phone biometric security needs to be controlled, says ex-GCHQ chief

The former head of the UK government's communications agency GCHQ has issued warnings over the privacy of the biometric security increasingly favored in top-end mobile phones and other devices, Computing reports.

Both Apple and Samsung’s flagship handsets use fingerprint sensors to protect the contents of the phone, and although neither is foolproof – as previously reported on We Live Security – it is the privacy of the data which concerns Sir John Adye, who headed the agency from 1989 to 1996.

“I don’t know what happens to my personal data when I use it on a smartphone,” Adye said, giving evidence to the Commons Science and Technology Committee on biometric technology. “If you go to an ATM and put in your credit or debit card, that system is supervised by the bank in some way. But when you’re using your smartphone… there’s no physical supervision of the system.”

“You need to design security methods… which are going to be strong to protect the interests of the individual who is using the phone and the relying party at the other end… the bank or whoever it is, who is providing a service to them,” the BBC quoted Adye as adding.

While praising biometric security as a positive step, he warned that criminals would be working on ways of circumventing the new security measures, stating that they are “very inventive at finding ways in.”

Elsewhere in the committee, biometrics expert Ben Fairhead was quizzed on the risks of criminals faking their way past biometric security. “There’s a whole science around anti-spoofing and all sorts of methods you can employ to work out ‘Is this finger… made of flesh and is there blood pumping around it?’” Fairhead explained.

However, even this could lead to “spurious results”, and he explained that cybercriminals were trying to keep up, even going as far as to add iron filings to fake fingers to mirror the skin’s conductivity.

“It still ends up being an arms race, or an arms, legs and fingers race, between you and the attackers,” he warned.